Regulating data sharing (Part I) – How will the EU Data Act impact your business?
by Fabio Barbero on 27 Jan 2022
In 2025, the value of the data economy in the European Union will be comparable to the GDP of the Netherlands. The actual impact that data will have on European economies and societies, however, will depend as much on technological advancements as on the rules that will govern data use and data sharing. In February 2022, the European Commission is expected to publish a proposal for a Regulation to facilitate data sharing and use between companies (business-to-business, or B2B) and between businesses and governments (business-to-government, or B2G). Known as the Data Act, this long-awaited initiative will have far-reaching impacts on companies, the public sector, and consumers. In this two-part series, we look at what issues the Data Act should address to harness the value of data while ensuring innovation, property rights, and privacy. This blog focuses on business-to-business data-sharing.
Finding the right balance
Data has a peculiar characteristic, called non-rivalry: multiple individuals can use the same data without it being used up. Data can be shared and reused for another purpose, and two datasets can be merged into a larger one to extract more value than the information contained in each of them separately. Data can be shared for various purposes: to design innovative products and services; for supply chain optimization; to train algorithms for artificial intelligence; for predictive maintenance, and others. While the value of data is unquestionable, companies do not share their data lightly. Concerns include market imbalances between the sharing parties; legal considerations (for example, fear of misappropriating trade secrets, lack of trusted contracts for data sharing, privacy concerns); and technical hurdles (for example, different data formats and lack of standards). These and other concerns may hinder data sharing.
Promoting data sharing translates into a dilemma: legal frameworks with strict conditions for sharing data lead to underutilisation of these data, while very loose conditions can leave companies with no incentive to invest in collecting the data. How can the Data Act find the right balance?
What the Data Act should consider
The Data Act needs to address the barriers that limit B2B data sharing, as well as provide incentives. To strike the right balance in B2B, the Data Act should include the elements below.
- Address market imbalances. B2B data sharing is predicated on the data holder having an incentive to share data and that the negotiating power of the parties is comparable. When this is not the case, however, the strongest party could impose unfair conditions that may make access to data difficult or onerous. This could particularly impact SMEs and start-ups, and the Data Act needs to ensure that data sharing contracts cater for these scenarios. European policy makers will need to determine what can be regarded as unfair in data sharing contexts to preserve both competition and incentives for sharing and to develop template agreements that facilitate routine data sharing for small and medium companies. Transparency obligations related to how shared data will be used will be a key part of such contracts.
- Go beyond traditional contracts. Given the risks of breaching privacy legislation and the uncertainties of dispute settlements, traditional contracts do not necessarily offer the trust and legal certainty required to incentivise data sharing. To address these issues, the Data Act could promote the understanding, use, and acceptance of smart contracts, which are based on blockchain technology (and therefore tamper-proof) and are distributed among all the members of a network. Another solution could be the creation of data spaces, which allow organisations to share data without a central data store through shared interfaces and standards, secure authentication, and governance layers that define who can access which data (for example, restricting access to a competitor’s data). In 2020, the European strategy for data already mentioned data spaces for sectors such as health, mobility, financial services, or energy. The Alan Turing Institute put forward a similar concept, the idea of ‘data heavens’, cloud-based repositories where data access is managed based on layers of sensitivity. Regardless of the technical implementation, the Data Act will need to clarify a number of elements: how smart contracts can be promoted; and who can use data in data spaces, for which purposes, how often, and at what cost.
- Preserve trade secrets and personal data rights. Any data sharing agreement should respect the protection of personal data and trade secrets, and data sharing that breaches these provisions should not be possible without consent. Access rights should be granted to both consumers and businesses, who must be able to access the data they generate when using a product or service. When it comes to personal data, the General Data Protection Regulation (GDPR) already recognises a right to access one’s personal data as well as a right to data portability (a right to transfer data from one service to another). The Data Act could facilitate these rights, setting interoperability standards and specifying technical processes and requirements.
- Update database rights. With the Data Act, the Commission plans to revise the 1996 Database Directive. The revised Directive should, among other things, ensure that machine-generated data is accessible to everyone to enable companies, governments and researchers to innovate, make public decisions, and conduct scientific research based on these data.
- Consider sectoral regulations and voluntary schemes. The Data Act is envisaged as a ‘horizontal’ regulation, applying to businesses across sectors. However, sectorial frameworks would be necessary to define data access rights and ensure flexibility for each sector. Any new rules will need to be consistent with proposed and planned sectoral regulations (such as the review of the Intelligent Transport Systems Directive and the establishment of a ‘common European mobility data space’, announced in the Sustainable and Smart Mobility Strategy.). It will also be important to draw lessons from voluntary data sharing schemes. The not-for-profit coalition International Data Spaces Association (IDSA), for example, has published a reference architecture model and application programming interface (API) specifications for data spaces. Based on the IDSA framework, carmakers Daimler and BMW have created a data-sharing network called Catena-X, while the Dutch Smart Connected Supplier Network promotes data sharing in the supply chain of high-tech equipment manufacturing. The Data Act will need to avoid new obligations, technical standards, and governance models that impose burdens on companies that already share data as part of their business models.
After an initial setback (the European Commission’s Regulatory Scrutiny Board halted the Data Act publication in November 2011 for reasons related to B2G data sharing, as our next blog will explain), the European Commission is expected to publish a revised draft Data Act at the end of February 2022.
Given its horizontal nature and the numerous interests at stake, the European Parliament and the Council of the EU will likely be paying close attention to this file. At the European Parliament, the Committee on Industry, Research and Energy (ITRE), the Committee on the Internal Market and Consumer Protection (IMCO), and the Committee on Civil Liberties, Justice and Home Affairs (LIBE) will likely be involved on agreeing the Act. In the Council, work might begin under the French Presidency, but with the Digital Services Act and the Digital Markets Act being priorities in the sphere of tech regulation, the Czech Presidency will probably take the lead in finalising the Council’s position.
With more and more companies and governments using data in their business models or decision-making, virtually everyone will need to keep an eye on how data sharing will be regulated in the EU. Inline Policy will be following the Data Act throughout the European legislative process.
If you have any questions about data policy, or are interested in an informal chat, please contact us at firstname.lastname@example.org